Enable global_csrf_token Feature flag
What
Remove the :global_csrf_token feature flag ...
- Deploy this patch with :global_csrf_token FF disabled. (Done with !33454 (merged))
- Once all Rails servers are on 6.0.3.1, enable :global_csrf_token FF.
- On GitLab 13.2, remove this patch
Owners
- Team: Configure
- Most appropriate slack channel to reach out to: #development
- Best individual to reach out to: @tkuah
Expectations
What are we expecting to happen?
POST requests continue to work after the feature flag is enabled for both:
- CSRF tokens generated before the feature flag is enabled
- CSRF tokens generated after the feature flag is enabled
What might happen if this goes wrong?
Non-GET requests start failing, much like gitlab-com/gl-infra/production#2203 (closed)
What can we monitor to detect problems with this?
Is there a dashboard to monitor for 401 responses? Potentially Requests by Status Class
Also using Kibana: https://log.gprd.gitlab.net/goto/217a036be8ac8db3f466364438c3b5ec
Beta groups/projects
If applicable, any groups/projects that are happy to have this feature turned on early. Some organizations may wish to test big changes they are interested in with a small subset of users ahead of time for example.
N/A
Roll Out Steps
- Enable on staging
- Test on staging
- Ensure that documentation has been updated => !34116 (merged)
- [-] Enable on GitLab.com for individual groups/projects listed above and verify behaviour
- Coordinate a time to enable the flag with #production and #g_delivery on slack.
- Announce on the issue an estimated time this will be enabled on GitLab.com
- Enable on GitLab.com by running chatops command in #production
- Cross post chatops slack command to #support_gitlab-com (more guidance when this is necessary in the dev docs) and in your team channel
- Announce on the issue that the flag has been enabled
- Remove feature flag and add changelog entry
- After the flag removal is deployed, clean up the feature flag by running chatops command in #production channel
Edited by Thong Kuah